Keeping an Eye Out for the Sinowal Trojan

RSA, EMC's security division, reported last week that its researchers found a treasure trove of financial data stolen by the Sinowal Trojan. Here is more background on the Trojan and RSA's findings.

After eWEEK published the initial story last week about RSA finding a cache of data stolen by the Sinowal Trojan, several readers requested additional information. Here is a little more background on the Trojan, RSA's findings and links to more information.

Also identified as Torpig and Mebroot, Sinowal has rootkit elements that infect the Master Boot Record (MBR), so its code runs before the operating system loads and can hide from security software on the running system. The Trojan has many variants, some of which are detected by traditional anti-virus products from vendors such as Symantec and McAfee. However, the number of variants and their low distribution volumes make it difficult for security vendors to keep track of the latest ones.
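Because the rootkit component lives in the MBR rather than in a file, one practical check is to compare the boot sector against a baseline taken when the machine was known to be clean. The following is an added example, not code from RSA or from the article, and the two sectors it checks are constructed filler data: the "modified" one simply has part of its boot code overwritten, which is the effect an MBR infection has, not Sinowal's actual code.

```python
"""Baseline check for Master Boot Record (MBR) tampering (added example)."""
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # classic MBR: bytes 0-439 hold the executable boot code
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into its MBR regions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 64],
        "signature": sector[510:512],
    }


def baseline_digest(sector: bytes) -> str:
    """SHA-256 over the boot code only; the partition table is compared byte for byte."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, known_boot_digest: str, known_partitions: bytes) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 0x55AA")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != known_boot_digest:
        findings.append("boot code differs from baseline")
    if mbr["partitions"] != known_partitions:
        findings.append("partition table differs from baseline")
    return findings


def _build_sector(boot_code: bytes, partitions: bytes) -> bytes:
    """Assemble a sector: boot code, 6 bytes disk signature/reserved, table, 0x55AA."""
    assert len(boot_code) == BOOT_CODE_LEN and len(partitions) == 64
    return boot_code + b"\x00" * 6 + partitions + BOOT_SIGNATURE


# Constructed sample data, not real boot code: a deterministic filler pattern.
_CLEAN_BOOT = bytes((i * 7) % 256 for i in range(BOOT_CODE_LEN))
# One bootable NTFS-style entry followed by three empty entries (constructed).
_PARTITIONS = (b"\x80\x01\x01\x00\x07\xfe\xff\xff\x3f\x00\x00\x00\x00\x20\x03\x00"
               + b"\x00" * 48)

CLEAN_MBR = _build_sector(_CLEAN_BOOT, _PARTITIONS)
CLEAN_DIGEST = baseline_digest(CLEAN_MBR)

# Simulated infection: the first 64 bytes of boot code are replaced, the
# partition table is left intact so the system still boots normally.
INFECTED_MBR = _build_sector(b"\xeb\xfe" + b"\x90" * 62 + _CLEAN_BOOT[64:], _PARTITIONS)


def mbr_findings(sector: bytes) -> list:
    """Check a sector against the constructed clean baseline above."""
    return check_mbr(sector, CLEAN_DIGEST, _PARTITIONS)


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("modified", INFECTED_MBR)):
        print(name, mbr_findings(sector) or "matches baseline")
```

On a real machine the sector comes from `\\.\PhysicalDrive0` (Windows, as administrator) or `/dev/sda` (Linux). Take the baseline when the system is known clean, and run the comparison from trusted boot media rather than from the installed operating system: a rootkit active in the running kernel can hand the original sector back to anything that reads the disk, which is exactly the hiding the article describes.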

For the past six months, RSA has observed at least 60 variants of the Trojan each month. A recent variant, submitted Oct. 21 to VirusTotal, was detected by fewer than 30 percent of the 35 security vendors whose engines scanned the file.

RSA investigators found nearly 300,000 online banking account credentials, as well as a roughly equal number of credit and debit account numbers and associated personal information. The cache of data represents bounty collected from Sinowal's victims as far back as February 2006.

"An analysis of the Sinowal Trojan itself identified a road map leading to the location commonly known as the drop zone, a point where Trojans send their stolen information," said Sean Brady, manager of identity protection at RSA, EMC's security division. "The drop zone itself was publicly exposed to the Internet, where the RSA FraudAction Research Lab was able to address the database and recover the credentials."

Once running on the victim's PC, Sinowal uses an HTML injection feature to insert new Web pages or form fields into what the victim's Web browser displays. When a user visits one of about 2,700 financial service domains the Trojan watches for, a fake page or prompt appears in place of the legitimate one and asks the user for log-in or financial information. Detected variants target Windows 2000, XP, Vista and Windows Server 2003, according to various security vendors.
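Because the injection happens inside the browser, the server's page is unchanged; what differs is the set of form fields the victim is shown. The following added example (not code from RSA or the article) compares the fields on a login page against a baseline recorded from a clean machine and also flags fields whose names suggest data a bank never asks for at log-in. Both HTML documents and the `/login` form are constructed for illustration.

```python
"""Detect HTML-injected form fields on a banking login page (added example)."""
from html.parser import HTMLParser

# Inputs that carry no user-typed data and are ignored when comparing forms.
_IGNORED_TYPES = {"submit", "button", "image", "reset"}
# Substrings of field names a bank login form should never contain (heuristic).
SENSITIVE_HINTS = ("ssn", "social", "pin", "cvv", "card", "mother", "dob")


class FormFieldParser(HTMLParser):
    """Collect (form action, input name, input type) for every data input."""

    def __init__(self):
        super().__init__()
        self.fields = []
        self._action = None  # action of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action", "")
        elif tag == "input" and self._action is not None:
            kind = (a.get("type") or "text").lower()
            if kind not in _IGNORED_TYPES:
                self.fields.append((self._action, a.get("name", ""), kind))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def extract_fields(html: str) -> list:
    parser = FormFieldParser()
    parser.feed(html)
    return parser.fields


def unexpected_fields(html: str, baseline: list) -> list:
    """Fields present on the page that were not in the clean baseline."""
    known = set(baseline)
    return [f for f in extract_fields(html) if f not in known]


def sensitive_fields(html: str) -> list:
    """Names of fields that ask for data a login form should never collect."""
    return [name for _, name, _ in extract_fields(html)
            if any(hint in name.lower() for hint in SENSITIVE_HINTS)]


# Constructed baseline: what the real login page looks like from a clean machine.
BASELINE_FIELDS = [
    ("/login", "username", "text"),
    ("/login", "password", "password"),
    ("/login", "remember", "checkbox"),
]

CLEAN_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="remember" type="checkbox">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

# Constructed: the same page as rendered by a browser with injected fields.
INJECTED_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <p>For your security, please confirm the following:</p>
  <input name="ssn" type="text">
  <input name="atm_pin" type="password">
  <input name="remember" type="checkbox">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, "unexpected:", unexpected_fields(page, BASELINE_FIELDS),
              "sensitive:", sensitive_fields(page))
```

The baseline must come from a machine that is not infected, and the page under test must be the document the browser actually rendered (for example, the DOM dumped from the browser) rather than a fresh fetch of the URL: a man-in-the-browser Trojan alters what the user sees, not what the bank's server sends.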
"The best initial line of defense is to maintain an up-to-date anti-virus solution on your PC and use it to run a full system scan," Brady advised. "However, the Sinowal Trojan can be challenging to detect once it is installed locally, since it uses rootkit techniques designed to evade detection."

Brady recommended that users keep an eye out for changes to Web sites they normally visit. For example, a prompt for personal information or for the user to download files in order to view a video could be a tip-off.

"Knowing that their financial institutions should never randomly request personal information online, such as log-in credentials or Social Security numbers, [can be a defense]," he said.

RSA has chosen not to publish the list of targeted financial institutions, citing privacy and security. However, RSA officials said they have reached out to the affected institutions as well as to law enforcement.